关于JavaScript注入问题 [英] Questions about Javascript injection
问题描述
我一直在阅读上asp.net的MVC学习网站关于JavaScript注入和男人是大开眼界。
I been reading on asp.net mvc learning site about JavaScript injection and man it is an eye opener.
我从来没有意识到如何使用JavaScript做一些怪异的屁股注入攻击某人/想法。
I never even realized/thought about someone using JavaScript to do some weird ass injection attacks.
但是,由于它给我留下了一些悬而未决的问题。
It however left me with some unanswered questions.
首先
当你用html.en code?就像你使用它,只有当你要显示该用户或其他一些用户提交的信息?
When do you use html.encode? Like do you use it only when you are going to display information that that user or some other user had submitted?
还是我用它的一切。就像说我有表单,用户提交,将永远不会显示该信息的任何用户,我应该还在使用html.en code?
Or do I use it for everything. Like say I have form that a user submits, this information will never be displayed to any of the users, should I be still using html.encode?
怎么会不喜欢它,我不知道如何把里面说的和Html.TextBox()的html.en code标记。
How would I do it like I am not sure how to put inside say and Html.TextBox() the html.encode tag.
二
会发生什么事说,我有我的网站上丰富的HTML编辑器。允许用户使用它,使事情变得大胆而不管。现在,我想通过一个标签来显示信息返回给用户。我不能Html.En code它,因为那么所有的大胆和东西会不会被渲染。
What happens say I have on my site a rich html editor. The user is allowed to use it and make things bold and whatever. Now I want to display information back to the user through a label. I can't Html.Encode it since then all the bold and stuff will not be rendered.
不过,我不能离开它喜欢它是自什么会阻止用户添加一些JavaScript攻击呢?
Yet I can't leave it like it is since what would stop a user to add some Javascript attack?
所以,你会怎么办?使用正则表达式过滤掉所有的标签?
So what would I do? Use Regex to filter out all tags?
第三
有也可以用称为AntiforgeryToken另一个标签时,你会使用这一个?
There is also another tag you can use called "AntiforgeryToken" when would you use this one?
感谢
修改
几乎每个人都认为使用白名单和黑名单我怎么会写这个名单,并将其与传入值(在C#示例将是不错)?
Almost everyone says use a "White List" and "Black List" how would I write this list and compare it to incoming values(examples in C# would be nice)?
推荐答案
好问题!
-
有关第一个答案,我会考虑寻找<一href=\"http://stackoverflow.com/questions/53728/will-html-encoding-$p$pvent-all-kinds-of-xss-attacks\">here在previous被问到的问题。作为回答讨论,使用HTML恩code不会彻底保护您免受所有XSS攻击。为了解决这个问题,你应该考虑使用的Microsoft Web防护库(的 AntiXSS 尤其是),可从Microsoft。
For the first answer, I would consider looking here at a previous asked question. As the answer discusses, using HTML Encode will not protect you completely against all XSS attacks. To help with this, you should consider using the Microsoft Web Protection Library (AntiXSS in particular), available from Microsoft.
前面已经提到,允许使用标签的列表做,把其他人的最好的事情被剥离出来。
As has already been mentioned, using a list of allowed tags is the best thing to do, leaving others to be stripped out.
该AntiforgeryToken令牌工程,以prevent请求伪造(CSRF),因为它为用户提供网页时公布其对所呈现的表单字段验证的cookie。没有任何理由,我知道那意味着你不能在所有的形式使用。
The AntiforgeryToken token works to prevent request forgery (CSRF) because it gives the user a cookie which is validated against the rendered form field when the page is posted. There's no reason that I am aware of that means that you can't use this in all of your forms.
这篇关于关于JavaScript注入问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
